Spoofing

Spoofing is the activity of deliberately confusing an electronic system, usually with the intent of having it report or use false data. IP spoofing is one modern example. Finding the radar frequency used by an enemy and transmitting signals designed to make those radars display nonexistent contacts is another. The Global Positioning System has measures in place to prevent an enemy from broadcasting their own (incorrect) version of the GPS signal to confuse GPS receivers - at least, military ones: the military signal is encrypted, so a receiver holding the key can reject a forgery, while the open civilian signal carries no such protection.

In networking, spoofing is the act of faking the source address of an outgoing packet (and, for TCP or UDP, the source port) so that other systems believe the packet was sent by a different host. There are several reasons to spoof, most of them not legitimate:

To mount a Denial of Service (DoS for short) attack against a target without being easily traced, since the packets carry someone else's source address.

To make logging systems attribute an action (such as a password brute-force attempt) to someone else.

To defeat protections that trust a source address, such as a firewall rule or an rhosts-style trust relationship between hosts. This is what Kevin Mitnick used in his 1994 attack on Tsutomu Shimomura's systems.

There are many kinds of spoofing techniques. The most common one is IP spoofing, since IP is the protocol the internet is based on. Spoofing an IP packet is easy: change the source address in the header and recompute the IP header checksum. However, IP's only job is to get a packet from one place to another, so it is never used by itself; there is always another protocol (TCP, UDP, ICMP, ...) in its payload, and that protocol's header may need adjusting as well. TCP and UDP in particular compute their checksums over a pseudo-header that includes the IP source address, so a packet whose IP source was changed without recomputing the transport checksum is simply discarded by the receiver.

TCP is the most widely used protocol on top of IP; HTTP, FTP, IMAP, POP3 and SMTP all run over it. Its goal is to make sure that data is successfully received by the target host, even on a line with heavy packet loss, so it has mechanisms that let the sending host know when a segment has been received and retransmit it if it hasn't. This is done with two 32-bit fields in each header: the SEQ (sequence) number, which counts the bytes the sender has transmitted, and the ACK (acknowledgement) number, which tells the peer how many of its bytes have arrived. Each side picks its initial sequence number (ISN) at the beginning of the connection, ideally at random, and the numbers then advance with every byte sent. To inject a segment into an existing connection, or to complete a handshake on someone else's behalf, an attacker must therefore produce an ACK number that matches the peer's current sequence number, which is why spoofing TCP is much harder than spoofing a single packet. There are, however, clever techniques that make it possible.

The first technique is called non-blind spoofing. The attacker sits on the path (or on the same network segment) between the target and the host being impersonated, which must be unable to reply (it may be down, nonexistent, or knocked offline with a DoS). Because the attacker can see the packets the target sends to the impersonated host, it can read the target's sequence numbers from those 'answers' and send further packets with the impersonated host's source address and valid SEQ and ACK values. This type of TCP spoofing is not too hard to perform, but it assumes the attacker already controls a router or can otherwise sniff the traffic.

The other method, blind spoofing, is a lot more difficult to perform, but does not require the attacker to have access to routers or gateways. It relies on the fact that some operating systems do not generate their ISNs randomly enough when a connection is made. Some old operating systems used a constant ISN. Others, such as Windows 95, 98 and NT, used an ISN that depended on time, roughly ISN2 = ISN1 + (time passed since the last connection) x (a fixed rate), which is trivially predicted. More recent systems have also been vulnerable to this kind of attack: the algorithm they use to generate "random" ISNs may not be good enough, yielding numbers that can be predicted with a little work. The attacker first opens a few legitimate connections to learn how the ISN evolves, then sends a SYN with the spoofed source, never sees the SYN/ACK, and answers it anyway with the predicted ISN + 1. Two caveats apply: the impersonated host must be silenced (down or DoSed), because a live host that receives a SYN/ACK it never asked for replies with a RST and kills the half-open connection; and the attacker never sees the target's responses, so the technique only suits transactions that can be driven blind, such as an SMTP session or an rsh command.
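The handshake described above, as an added simulation that is not part of the original text: a toy listener whose ISN grows linearly with a clock, an attacker who samples two ISNs legitimately and predicts the third, and the two caveats (a live impersonated host resets the connection; a random ISN defeats the prediction). The listener, the rate of 128 sequence units per millisecond and the addresses are all assumptions for the example; no packets are sent.

```python
import os

MASK32 = 0xFFFFFFFF


class TcpListener:
    """Toy three-way-handshake state machine for one listening port (constructed
    for this example). It models only what blind spoofing needs: the ISN sent in
    each SYN/ACK and the check that the final ACK acknowledges ISN + 1."""

    def __init__(self):
        self.pending = {}        # (peer_ip, peer_port) -> ISN we sent in the SYN/ACK
        self.established = set()
        self.clock_ms = 0        # simulated wall clock in milliseconds

    def tick(self, ms):
        self.clock_ms += ms

    def choose_isn(self):
        raise NotImplementedError

    def syn(self, peer):
        isn = self.choose_isn()
        self.pending[peer] = isn
        return isn               # carried in the SYN/ACK, which goes to `peer`

    def rst(self, peer):
        """A live host that gets a SYN/ACK it never asked for answers with RST."""
        self.pending.pop(peer, None)

    def ack(self, peer, ack_number):
        isn = self.pending.get(peer)
        if isn is not None and ack_number == (isn + 1) & MASK32:
            self.established.add(peer)
            return True
        return False


class TimeBasedIsn(TcpListener):
    """ISN = base + rate * elapsed_ms, like the predictable generators described
    above. Base and rate are assumed values for the simulation."""
    RATE_PER_MS = 128

    def __init__(self, base=0x12340000):
        super().__init__()
        self.base = base

    def choose_isn(self):
        return (self.base + self.clock_ms * self.RATE_PER_MS) & MASK32


class RandomIsn(TcpListener):
    """What a sane stack does: 32 bits the attacker cannot extrapolate."""

    def choose_isn(self):
        return int.from_bytes(os.urandom(4), "big")


def blind_spoof(server, attacker_ip, victim_ip, victim_silenced, gap_ms=1000):
    """Sample two ISNs from real connections, predict the next one, and complete a
    handshake as `victim_ip` without seeing the SYN/ACK.
    Returns (handshake_accepted, predicted_isn, actual_isn); `actual_isn` is
    returned only so the caller can compare, a real attacker never sees it."""
    isn1 = server.syn((attacker_ip, 40001))
    server.tick(gap_ms)
    isn2 = server.syn((attacker_ip, 40002))
    rate = ((isn2 - isn1) & MASK32) / gap_ms      # sequence units per ms

    server.tick(gap_ms)
    spoofed_peer = (victim_ip, 1023)
    actual = server.syn(spoofed_peer)            # SYN/ACK is routed to the victim
    if not victim_silenced:
        server.rst(spoofed_peer)                 # victim tears the connection down
    predicted = (isn2 + int(rate * gap_ms)) & MASK32
    accepted = server.ack(spoofed_peer, (predicted + 1) & MASK32)
    return accepted, predicted, actual


if __name__ == "__main__":
    print("time-based ISN, victim silenced:",
          blind_spoof(TimeBasedIsn(), "198.51.100.7", "192.0.2.10", True))
    print("time-based ISN, victim alive:   ",
          blind_spoof(TimeBasedIsn(), "198.51.100.7", "192.0.2.10", False))
    print("random ISN, victim silenced:    ",
          blind_spoof(RandomIsn(), "198.51.100.7", "192.0.2.10", True))
```

The interesting failure is the second case: the prediction is still exact, but the handshake never completes because the real host spoke first. That is why blind spoofing is always paired with taking the impersonated host offline.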

UDP is also often used on top of IP, mostly for applications that do not require every packet to reach the target; online games such as Quake are a good example. Because of this, it has no mechanism to make sure every packet is received and no sequence numbers to guess, so spoofing a UDP datagram needs no extra work beyond recomputing its checksum. UDP spoofing is mostly used for UDP floods.

ICMP is used to transmit errors and other kinds of semi-important information from one host to another. Like UDP it is connectionless, so it is very easy to spoof; it probably is the most spoofed protocol. ICMP spoofing is the basis of the well-known smurf attack: the attacker sends ICMP echo requests to a network's broadcast address with the victim's address as the source, and every host on that network answers the victim, multiplying the attacker's traffic many times over.
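An added example, not code from the original text, covering the IP, UDP and ICMP points above: it builds a UDP datagram and a smurf-style ICMP echo request with a forged source address, computing the IP header checksum, the UDP checksum over its pseudo-header and the ICMP checksum, and then verifies them the way a receiving stack would. It also shows what goes wrong when only the IP source is patched. Addresses are documentation ranges chosen for the example; nothing is transmitted (sending would need a raw socket with IP_HDRINCL and root, and most networks apply BCP 38 ingress filtering that drops packets with foreign source addresses).

```python
import socket
import struct

UDP, ICMP = 17, 1


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words, padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0x1234, ttl=64):
    """20-byte IPv4 header with the source address the attacker chooses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_datagram(src, dst, sport, dport, payload):
    """UDP header whose checksum covers the pseudo-header (src, dst, proto, len),
    so it must be computed with the *spoofed* source address."""
    length = 8 + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, UDP, length)
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = checksum(pseudo + udp) or 0xFFFF   # 0 means "no checksum" in UDP
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def spoofed_udp_packet(fake_src, dst, sport, dport, payload):
    udp = udp_datagram(fake_src, dst, sport, dport, payload)
    return ipv4_header(fake_src, dst, UDP, len(udp)) + udp


def icmp_echo_request(ident, seq, payload):
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload   # type 8, code 0
    return icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]


def smurf_packet(victim_ip, broadcast_ip, payload=b"smurf"):
    """Echo request to a broadcast address, source forged as the victim."""
    icmp = icmp_echo_request(0x0001, 1, payload)
    return ipv4_header(victim_ip, broadcast_ip, ICMP, len(icmp)) + icmp


def naive_rewrite_src(pkt, new_src):
    """The mistake the text warns about: patch the IP source and IP checksum only."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = bytearray(pkt[:ihl])
    ip[12:16] = socket.inet_aton(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + pkt[ihl:]


def verify_packet(pkt):
    """Re-check every checksum a receiving stack tests; a sum over a header that
    includes its own checksum field comes out to zero when it is correct."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, body = pkt[:ihl], pkt[ihl:]
    src, dst, proto = ip[12:16], ip[16:20], ip[9]
    result = {"src": socket.inet_ntoa(src), "ip_ok": checksum(ip) == 0}
    if proto == UDP:
        pseudo = struct.pack("!4s4sBBH", src, dst, 0, UDP, len(body))
        result["udp_ok"] = checksum(pseudo + body) == 0
    elif proto == ICMP:
        result["icmp_ok"] = checksum(body) == 0
    return result


if __name__ == "__main__":
    good = spoofed_udp_packet("192.0.2.10", "198.51.100.5", 53, 53, b"hello")
    print("built with spoofed source:", verify_packet(good))
    real = spoofed_udp_packet("203.0.113.1", "198.51.100.5", 53, 53, b"hello")
    print("IP source patched only:   ", verify_packet(naive_rewrite_src(real, "192.0.2.10")))
    print("smurf echo request:       ", verify_packet(smurf_packet("192.0.2.10", "198.51.100.255")))
```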

In finance, spoofing is a form of market manipulation, illegal in the United States since 2010, in which a trader (the "spoofer") places unreasonably large fake buy or sell orders in an effort to trick the market into driving the price in one direction or the other. If it works, the spoofer then takes the other side of the trade, cancels the original order, and then profits as the market bounces back to its original equilibrium.

For example, let's say the bid price on one "widget" is $100 and the ask price is $105. A spoofer might place a limit order to short sell 100,000 widgets at a price of $104. The hope is that other market participants will see this massive order, conclude that people want to sell widgets, and lower their own prices to front-run the anticipated drop. The spoofer then places a buy order for 10 widgets at a price of $101. If the spoof works, sure enough, the small buy order fills at $101. The spoofer immediately cancels the huge sell order. With the massive sell order out of the order book, the bid and ask prices rebound to their initial $100 and $105. The spoofer now places another fake order, this time to buy 100,000 widgets at $101, along with an order to sell the 10 newly-acquired widgets at $104. With the spoof running in the opposite direction, someone out there sees the huge buy order and thinks the price of widgets is about to go up, and the spoofer completes the spoof by selling his 10 widgets at $104, then cancelling the fake buy order, clearing a profit of a sweet, sweet $30.

So spoofing is basically an elaborate form of bluffing. The spoofer has to be very careful, and very fast, especially at cancelling the fake buy and sell orders: a resting order for 100,000 widgets at around $100 represents some $10 million of exposure, put at risk to make a profit of $30. If the market moves against them suddenly, before they can cancel the fake orders, they can lose a lot of money in the blink of an eye.

If this sounds pretty stupid, it's because it kind of is. Why would anyone do this, and more importantly, why would anyone fall for it? Well, as stupid as it sounds, it actually works. Of course no actual person would fall for the same spoof run in two opposite directions within a few minutes or a few seconds, but in modern financial markets the vast majority of trading is high-frequency automated trading conducted by computers, based on algorithms and carried out on a time scale of milliseconds. And a lot of these algorithms take the size of outstanding limit orders into account when trying to front-run tiny changes in price. Thus, the modern spoofer is essentially outsmarting relatively dumb computer algorithms.

In the United States, spoofing was made illegal by the 2010 Dodd-Frank Act, and prosecutions have charged it alongside commodities fraud and wire fraud. Despite its illegality, the ethics of spoofing are somewhat interesting, because its intended victim is not a person, and because it is not always easy to say where the line between legal trading and illegal spoofing should be drawn. After all, the spoofer is not trading on secret information or withholding any crucial information from counterparties, and under most circumstances it is perfectly legal to place orders, even very large orders, and then later change your mind and cancel them. Indeed, the spoofer's supposed crime is conducted transparently, right out in the open. It is only through an analysis of the exact sequence of orders, trades, and cancellations that the spoof becomes apparent.
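The kind of sequence analysis just mentioned, as an added example that is not part of the original text: a detector run over a constructed order-event log in which trader "spf" performs the two-direction widget spoof from the example above (with the numbers made consistent: 10 widgets bought at $101 and sold at $104), while trader "mm" also cancels a large order but never trades against it. The log format, the trader names and the thresholds (a cancelled order at least 100x the size of the fill, within one second) are assumptions for the example.

```python
from collections import defaultdict

# Constructed order-event log for the example; not real market data.
EVENTS = """\
t=0.000 trader=spf id=1 act=new side=sell px=104 qty=100000
t=0.020 trader=spf id=2 act=new side=buy px=101 qty=10
t=0.025 trader=spf id=2 act=fill qty=10
t=0.030 trader=spf id=1 act=cancel
t=0.040 trader=spf id=3 act=new side=buy px=101 qty=100000
t=0.045 trader=spf id=4 act=new side=sell px=104 qty=10
t=0.050 trader=spf id=4 act=fill qty=10
t=0.055 trader=spf id=3 act=cancel
t=1.000 trader=mm id=5 act=new side=sell px=105 qty=50000
t=1.200 trader=mm id=6 act=new side=sell px=105 qty=10
t=1.250 trader=mm id=6 act=fill qty=10
t=1.300 trader=mm id=5 act=cancel
""".splitlines()


def parse(line):
    """'k=v k=v ...' -> dict, with numeric fields converted."""
    ev = dict(tok.split("=", 1) for tok in line.split())
    for k in ("t", "px"):
        if k in ev:
            ev[k] = float(ev[k])
    for k in ("id", "qty"):
        if k in ev:
            ev[k] = int(ev[k])
    return ev


def find_spoof_patterns(lines, size_ratio=100, max_gap=1.0):
    """Flag a large, never-filled order that is cancelled within `max_gap` seconds
    of the same trader filling a much smaller order on the opposite side while
    the large order was resting. Thresholds are assumptions for the example."""
    orders, fills, flags = {}, defaultdict(list), []
    for ev in map(parse, lines):
        if ev["act"] == "new":
            orders[ev["id"]] = dict(ev, filled=0)
        elif ev["act"] == "fill":
            o = orders[ev["id"]]
            o["filled"] += ev["qty"]
            fills[o["trader"]].append((ev["t"], o["id"], o["side"], ev["qty"]))
        elif ev["act"] == "cancel":
            o = orders[ev["id"]]
            unfilled = o["qty"] - o["filled"]
            for ft, fid, fside, fqty in fills[o["trader"]]:
                if (fside != o["side"] and o["t"] <= ft <= ev["t"]
                        and ev["t"] - ft <= max_gap and unfilled >= size_ratio * fqty):
                    flags.append({"trader": o["trader"], "fake_order": o["id"],
                                  "fill": fid, "ratio": unfilled // fqty})
    return flags


def realized_pnl(lines, trader):
    """Cash from fills: sells add, buys subtract (price taken from the order)."""
    orders, cash = {}, 0.0
    for ev in map(parse, lines):
        if ev["act"] == "new":
            orders[ev["id"]] = ev
        elif ev["act"] == "fill" and orders[ev["id"]]["trader"] == trader:
            o = orders[ev["id"]]
            cash += ev["qty"] * o["px"] * (1 if o["side"] == "sell" else -1)
    return cash


if __name__ == "__main__":
    for flag in find_spoof_patterns(EVENTS):
        print(flag)
    print("spf realized:", realized_pnl(EVENTS, "spf"))
```

The market maker's cancelled order is not flagged because the fill it sits next to is on the same side; the signature the detector keys on is the pairing of a large resting order with an opposite-side fill, followed by the cancel, exactly the pattern the text describes.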

Moreover, the spoofer's spoof doesn't really affect long-term investors at all; in fact, it only takes money away from high-frequency robo-traders. Insofar as many people consider high-frequency trading to be a menace that front-runs the market and takes money from honest investors, the spoofers may actually be heroes, and the high-frequency traders have only themselves to blame for not writing smarter algorithms. Of course the US government clearly disagrees, and the illegalization of spoofing is a tacit admission that high-frequency trading is a valuable and necessary part of market making in modern financial markets. It also turns out that large-scale spoofing, while highly lucrative for the spoofer, can have profoundly disruptive effects on markets. For example, the so-called "Flash Crash" of May 6, 2010, in which US stock markets dropped around 10% only to recover within minutes, has since been blamed in part on the spoofing activity of a small-time trader working from his home computer in London.